Download CIS 442_Chapter5_

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
Document related concepts

Trusted Computing wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Mobile security wikipedia , lookup

Antivirus software wikipedia , lookup

Malware wikipedia , lookup

Unix security wikipedia , lookup

Computer virus wikipedia , lookup

Transcript 
CIS 442: Chapter 5
Prevention and Defense
Understanding vulnerabilities
•
•
•
•
•
•
•
Examples of vulnerabilities or weaknesses:
User apathy
Insufficient security control
Misuse of available security features
Weaknesses in the operating system
Unauthorized use
Anonymity of networks
Steps to protect a system
• (1) identifying vulnerabilities to viruses.
• (2) correcting them, and plugging up security
holes, and,
• (3) monitoring the results.
Resources for virus prevention
• Training seminars
• Any decisions pertaining to the acquisition of new software
and hardware should involve security experts
• Monitoring user and network activity
• Emergency policies must exist and users should be trained
in them
• Limited sharing
• “no external storage” policy
• A company clearinghouse
• “installing programs” policy.
• Self isolation in an attack
• Audit
• Backup
Defenses Against Malware
• Virus defense should involve:
• (1) technical means, some of which are described
here
• (2) common sense in using your computer, and,
• (3) legal means.
• Applying all three approaches can keep a user out
of trouble for a long time, although perhaps not
forever.
• use common sense and be careful in using the
computer
• limit transitivity
Anti-Virus Software
• How can AV be very useful and can be useless?
• In spite of its usefulness, anti-virus software has a
few problems that users should be aware of:
• The main problem with anti-virus software, in the
opinion of this author, is that a new virus may
spread quickly and infect thousands of computers
worldwide before any anti-virus software makers
can isolate and analyze it and issue an update,
and certainly before most users can download,
install, and run this update.
• It takes perhaps an hour to scan and search an entire
disk for viruses, but certain users consider this time
period too long.
• The reason anti-virus software is fast is that it knows
where in a file each virus is hidden and it checks only
those locations.
• A user may use anti-virus software improperly. The
software should be set to scan every disk drive, flash
memory, CD, and DVD inserted into a drive or plugged
into a port in the computer, but it should also be
executed on a regular basis to scan the hard drive and
all backup disks.
• A file may contain a bit pattern identical or very close
to that of a known virus.
• Finally, anti-virus software is effective only against
known viruses.
• A continuous integrity checker checks a file each time
the file is opened.
• The integrity checker has saved the time T the file was
last opened and checked by the integrity checker (the
file size was also saved).
• If the file has a modification time different from T (or if
its size differs from what it was at time T), the integrity
checker raises an alarm.
AV goals or tasks
• Ideally, we expect anti-virus software to accomplish the following
goals:
• To detect all known viruses and malware that already exist in the
computer, advise the user on each occurrence of rogue software
discovered, and help the user to delete them.
• To detect unknown viruses
• To scan incoming email, all downloaded files, and any removable
storage devices inserted into the computer, and detect all known
viruses and malware in them.
• It is not enough to run this type of anti-virus software only from
time to time. Instead, it has to be a startup item; it has to be
launched automatically (i.e., by the operating system) each time the
computer is started or is reset, and it has to reside in memory and
be invoked by an interrupt each time any of the following actions
takes place: (1) email is examined, (2) a file arrives from the
outside, and (3) a new storage device is mounted.
• To record all its activities in a log file. Such a file should be examined
by a person, because anti-virus software may accidentally suspect a
clean file of harboring a virus and may delete or disinfect it.
• Also, when a virus is found in an incoming email message, the sender
has to be notified. Imagine a virus infecting a computer owned by A.
The virus searches the computer for email addresses (most personal
computers have an address book with names and
email addresses) and sends email messages to every addressee found,
with an attachment and some text enticing the receiver to open the
attachment.
• When anti-virus software on another computer receives a message
from A and discovers a virus in it, A should be notified. Thus, anti-virus
operations should not be transparent to the user/owner.
Generic and specific detection methods
• Virus-specific detection methods, as their name
implies, look for and identify specific viruses.
Most anti-virus software operates this way.
• Generic virus detection techniques don’t look for
specific viruses but instead examine the
computer (files on the disk and programs in
memory) for anything suspicious, unusual, or
anomalous.
• A virus preventive technique creates an
environment in the computer where viruses
hesitate before they enter, or cannot thrive (i.e.,
execute) once they have entered
AV process challenges or difficulties
• Disassembling a program is much more
complex and error-prone than assembling it.
– Machine instructions have different sizes
– A program is a mixture of instructions and data,
but the assembler translates everything into bits
– When a program is written in assembler language,
certain instructions are labeled, so they can be
referred to from other places in the program.
• The virus author may include several sections of
unnecessary and unused code in the original program,
some of it consisting of random numbers, in an
attempt to confuse detectives and throw them off the
right track.
• The virus may make decisions based on random
numbers, it may mutate and it may compress and
encrypt itself in different ways, depending on different
keys.
• Once the virus code is understood, experts identify
certain bit strings that constitute the “signature” of the
virus. Anti-virus software that looks for specific viruses
will have to look for those strings in executable files.
• Thus, anti-virus software should scan compressed
files as an option. If a frequently-used disk has
many compressed files and they slow down the
anti-virus scan considerably, the owner may
consider encrypting them.
• Another problem with disinfecting a file is that
the file may contain a bit pattern identical or very
close to that of a known virus. Disinfecting such a
file (which is clean) leaves a damaged and
unusable file. On the other hand, replacing the
file with a clean version causes no harm.
• Generic anti-virus software does not look for
the signature of any particular virus. Instead, it
looks for suspicious activities and nauthorized
modifications of operating system routines.
• This kind of software consists of two general
types, activity monitors and behavior (or
integrity) checkers.
Preventive techniques
• Anti-malware organizations maintain useful
online information on recent viruses and other
malware
• All external disks and removable cartridges, and
most flash memories have a write-protect option.
• Operating systems can greatly help in
implementing preventive measures
• An open-source operating system has several
advantages, but it also constitutes a preventive
measure because it enables programmers to
peruse the source code and find security
weaknesses.
• The Windows operating system by Microsoft has close ties
to several applications, such as Outlook Express and
Internet Explorer, also by Microsoft.
• Computers can perform complex tasks, but such tasks
require complex programs. Without a program, a computer
can do nothing. Programs are steadily becoming more
complex and powerful, but are still no substitute for human
intelligence.
• Those who are part of an organization sometimes get news,
rumors, and warnings about viruses from buddies in the
office or elsewhere. Those should be forwarded to the
person in charge of security for confirmation
• Obviously, an attachment in an email message
from an unknown person should not be opened,
but what about an attachment in a message from
a familiar, trusted person?
• A similar point is to be suspicious of files (mostly
executable files, but also data files that can have
macros) downloaded from newsgroups, from
hacking/cracking Web servers, or from new,
unfamiliar Web sites that offer useful and
inexpensive software.
• Even a program sent by a trusted source may be
infected. Recall that a virus may lay dormant for a
long time before it releases its payload
• Many applications may benefit from a macro
facility, but virtually all
• known macro viruses infect data files for
Microsoft Word and Microsoft Excel, two
components of the well-known Microsoft Office
suite.
• Such files should be considered potentially
dangerous, especially when received in email
• Anti-virus software can scan mounted disks
and flash memories, so it should be used as a
preventive measure.
• A firewall can stop viruses and is therefore a
preventive measure.
• Older personal computers had to be booted
from floppy disks. Later models had hard disks
with the operating system installed, so
booting from a floppy became an option.
• Two advanced and popular email programs,
Outlook and Outlook Express, are particularly
vulnerable to email infection
• Most operating systems support file names
with extensions. The extension (often three
letters) associates the file with an application
and serves as handy identification.
• Another important preventive measure is to
have regular backups of all important files.
Backups
• Backup as a last defense activity. [fault
tolerance].
• Backup options [ onsite and offsite] partially
or full backup.
Suspicious activities
• A file has a “time stamp” indicating the last time it has been modified. If
an old file turns out to have a recent modification date, it should be cause
for suspicion. The length of a program (executable) file should normally
stay the same. Any unexplainable change in the length of such a file is also
a reason to suspect that a virus attached itself to the file.
• A familiar program suddenly slows down or takes longer than usual to
start.
• Simple tasks require excessive disk access.
• A program tries to write to a CD (which is normally read only).
• Programs suddenly indicate less available memory than in the past.
• The computer restarts itself suddenly, for no apparent reason, or requests
permission to restart, citing an official-looking but unfamiliar reason.
• Unusual or irrelevant messages are displayed on the monitor screen.
• There is suddenly an unusual amount of network traffic. This is easy to
detect when a modem (telephone or cable) is used. The lights on the
modem flicker quickly, indicating heavy network traffic, while legitimate
programs run slow.
Vaccines
• Vaccines. Someone thinking about virus
eradication may come up with the following idea.
• A virus normally checks a file before infecting it,
looking for its (the virus’) signature to avoid
secondary infection.
• If the signature of a virus is known, we may
embed it in all the files in our computer, which
will fool the virus. This is the concept of a vaccine.
It’s a simple concept, but it fails in practice for the
following reasons:
• There are many known viruses and new ones appear all
the time.
• Some viruses don’t leave a signature and simply
reinfect any given file again and again.
• In extreme cases, vaccination may do more damage
than the virus itself
• The signatures of different viruses may conflict, so
vaccinating against one virus may expose a file up to
infection by another virus
• Self repair. Error-detecting and error-correcting codes
are currently very common and can be very powerful
Self correction
• The principle of correcting errors through increased
redundancy can be carried out to virus detection and
elimination.
• Imagine a program that has redundant bits, so it can check
itself every time it is launched and even correct many
errors in itself. When such a program gets infected by a
virus, the next check will detect a problem.
• If the problem cannot be corrected automatically, the
program will notify the user and will quit.
• Such a self-correcting program seems a good weapon in the
war against viruses, and it is, but only up to a point.
• Once virus writers learn of this trend, they may counter it in
various ways, some of which are listed here:
• The obvious problem is that the virus writer will
discover how the redundancy was generated (the
formula or the algorithm to compute the
redundant bits).
• A virus may be written specifically to modify the
redundant part of a program in a way that will
infect the program.
• Even in cases where the virus knows (or suspects)
only that redundancy is used to protect a
program, the virus can defeat this protection
• Limit permissions. Most viruses infect executable programs, so it
seems that it should be enough to limit the permissions of
executable programs.
• Software fault tolerance. The concept of fault tolerance is to have
several copies of the same hardware circuit or the same software
program.
• When one copy fails, another copy is immediately used instead.
• A cryptographic checksum. Normally, a checksum or a CRC is
enough to guarantee the integrity of a data file. If the file is
modified as a result of data corruption, its new CRC will differ from
the original CRC.
• The discussion on page 86, however, shows that a virus can embed
itself in a file and change bytes of data until the new CRC of the
infected file equals the original CRC.
Botnets, Zombies, and Remote Control
• A botnet is a collection of compromised computers (members) that
are controlled remotely by their (illegitimate) owner, who is often
referred to as a “botherd” or “botherder.”
• Each member computer of a botnet is running a bot program and
these programs work either separately (stealing personal data, for
example) or together (sending a flood of messages to create a denial
of service in an attempt to compromise an important website).
• Writing and debugging the software of a sophisticated bot is a
demanding job that requires detailed knowledge of several fields.
• Here are examples of the special “skills” required for implementing
and releasing a potent bot: (1) How to invade Web servers and use
them to spread malware. (2) How to program malware in general. (3)
How to organize a botnet once enough computers have been
invaded and infected. (4) How to distribute spam and other malware
from a compromised host. (5) How to search a host for useful data.
(6) How to use this data to sell account information, commit credit
card fraud, or siphon money from bank accounts.
Hoaxes
• Virus hoaxes are reports of nonexistent viruses. They are propagated as email
messages that include some of the following:
• Announce the discovery of an undetectable, highly-destructive new virus.
• Warn users not to read emails with a particular subject line such as “Join the
Crew” or “Budweiser Frogs.”
• Pretend that the warning was issued by a well-known security organization,
ISP, or government agency, most often IBM, Microsoft, AOL, or the federal
communications commission (FCC) in the United States.
• Make a fantastic claim about the payload of a new virus. For example, a hoax
called “a moment of silence” claims “no program needs to be exchanged for a
new computer to be infected by this virus.”
• Employ nonsensical technical jargon to describe the effects of the virus.
• For example, a hoax called “good times” says that the virus can put the CPU
into “an nth-complexity infinite binary loop;” a nonexistent condition.
• Urge readers to forward the warning to others (such a hoax is known as a
chain letter).
Why Hoaxes are bad ?
•
•
•
•
•
•
•
Hoaxes can be as disruptive and costly as a genuine virus.
Users tend to believe a hoax, overreact to it, and forward hoax messages to
everyone on their mailing list. This can create a temporary deluge of email which
overloads mail servers and causes delays in delivering mail and even crashes. The
damage may be equivalent to that done by a real virus, with the difference that
the hoaxer doesn’t have to design, implement, and test any code.
An organization that receives a hoax may also overreact and take drastic action,
such as temporarily closing down a mail server or shutting down its entire
network. This cripples communications and adversely affects normal business at
least as effectively as a real virus, again with very little effort on the part of the
hoaxer.
Virus experts who deal with real viruses and other threats may get distracted by a
hoax and waste precious time and effort trying to track it.
A hoax, like other rumors, can persist for a long time before it dies off, and its
cumulative effect (wasting users’ time and causing pain and suffering) may be out
of proportion to the work needed to start it.
A hoax can inspire new viruses (the opposite is also true). The “good time” hoax,
for example, was followed by a real “good time” virus (also called GT-Spoof).
A hoax may turn out to be real. This causes psychological damage followed by real
physical damage.
• Chain letters. An electronic chain letter is an email
message that urges
• readers to forward it to others. There are four main
types of chain letters as
• follows:
• Hoaxes. A chain letter may warn readers about a
terrorist attack, a
• scam, or a new computer security threat. Some of
these hoaxes can be
• classified as myths, but all should be ignored by
conscientious readers.
• Fake freebies.
• Petitions.
• Jokes and Pranks.
How to avoid hoaxes ?
• An organization should have a clear policy on
virus hoaxes
• Any security-conscious computer user should
be kept informed about hoaxes.
• Don’t forward chain email letters even if they
offer money, fame, gifts, or useful information
• When receiving unsolicited email don’t trust
any links in it, even if they seem familiar and
legitimate
Related documents
Viruses - StantonAPBiology
Viruses - StantonAPBiology
Name______________________________________Hour 1-2 3
Name______________________________________Hour 1-2 3
Understanding viruses classwork
Understanding viruses classwork
IHNV (Infectious Hematopoietic Necrosis Virus) is one of the most
IHNV (Infectious Hematopoietic Necrosis Virus) is one of the most
Deardorff COBRE seminar 082913 (PDF)
Deardorff COBRE seminar 082913 (PDF)
Virus Textbook Assignment
Virus Textbook Assignment
Chapter 24- Viruses, section review answers
Chapter 24- Viruses, section review answers
Contagion Worksheet
Contagion Worksheet
Virus Flipbook
Virus Flipbook
brehlik , kapás , váczi - ITIS Cannizzaro Colleferro
brehlik , kapás , váczi - ITIS Cannizzaro Colleferro